Secure Multi-Cluster Deployments with TLS
Overview
To secure your multi-cluster deployment with TLS encryption, run the multi-cluster TLS tool provided by MongoDB to automate the TLS configuration. The tool runs OpenSSL commands on the specified central cluster to generate server certificates for each member cluster and then updates the Kubernetes Operator configuration on each member cluster.
Alternatively, you can run OpenSSL commands directly on each member cluster to generate server certificates and CSRs, and then update the Kubernetes Operator configuration on each member cluster.
Prerequisites
Before you secure your multi-cluster MongoDB deployment using TLS encryption, complete the following tasks:
- Follow the steps in the Multi-Cluster Quick Start Prerequisites.
- Deploy a multi-cluster using a Multi-Cluster Quick Start.
- Install OpenSSL.
Configure TLS with the Multi-Cluster TLS Tool
Run the multi-cluster TLS tool on the specified central cluster. The tool runs OpenSSL commands and takes the following actions:
- On each member cluster, uses the CA key and root certificate that you specify, or generates a new self-signed CA certificate and key if you don’t specify a CA key and root certificate.
- Generates each cluster’s Certificate Signing Request (CSR) and server certificates for each member cluster’s host.
- Based on these certificates and a CSR, creates a cluster certificate secret for each member cluster. Each cluster certificate secret consists of all generated server certificates and each member cluster host’s secret key. The host’s secret key contains the server certificate concatenated with the cluster certificate key.
- Creates an issuer-ca ConfigMap in each member cluster that has the CA root certificate.
- Updates the MongoDB multi-cluster resource with the ConfigMap’s name and TLS security settings.
Run the multi-cluster TLS tool.
Change to the directory to which you cloned the repository.
Run the multi-cluster TLS tool. Specify the following parameters to the tool:
- The CA key and root certificate for your organization, if you have the CA root certificate. If you don’t have a CA root certificate, specify the Common Name (CN) and the multi-cluster TLS tool generates a self-signed CA key and root certificate.
- The MongoDB multi-cluster resource name.
- The central cluster name and namespace.
- The country, state, and name of the organization for the Certificate Signing Request (CSR).
The following example shows how to run the tool if you have a CA key and root certificate:
The following example shows how to run the tool if you don’t have a CA key and root certificate. In this case, use the common-name parameter to specify the Common Name (CN) of the self-signed CA root certificate that the tool will generate:
Verify that the MDB resources are running.
For member clusters, run the following commands to verify that the MongoDB Pods are in the running state:
In the central cluster, run the following commands to verify that the MongoDBMulti CustomResource is in the running state:
Configure TLS with OpenSSL
In this procedure you:
- Use OpenSSL to generate the member clusters’ CA root certificate and CSRs, and server certificates for each member cluster’s host.
- Based on these certificates and CSRs, use OpenSSL to create the member cluster certificate secrets. Each cluster certificate secret consists of all generated server certificates and each member cluster host’s secret key. The host’s secret key contains the server certificate concatenated with the cluster certificate key.
- In each member cluster, create the ConfigMap that has the CA root certificate.
- Update the MongoDB multi-cluster resource with the ConfigMap’s name and TLS security settings.
Use OpenSSL to generate CA certificates, CSRs, and server certificates.
(Optional) If you don’t have a CA key and root certificate for your organization, generate a CA key with genrsa. Skip this step if you already have a CA key.
(Optional) Run openssl req to generate a CA root certificate signed by the CA key generated in the previous step. Skip this step if your organization already has a CA root certificate that you can use to secure your multi-cluster deployment.
For each member cluster, generate a key for the Certificate Signing Request (CSR) with genrsa:
For each member cluster, generate a CSR using its key with openssl req.
For each member cluster, using the generated CA key, root certificate, and the CSR, generate a server certificate. The following procedure uses openssl req in combination with -extfile and printf to first construct a subjectAltName parameter, and then inject it via printf as the value into -extfile.
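The OpenSSL steps above, worked through as an added example that is not the MongoDB documentation's own commands; the resource name multi-replica-set, the DNS suffix, and the certificate subject fields are assumptions. It also adds a check a practitioner would run before building the secret: each host certificate must chain to the CA and carry the host's service name in its SAN.

```shell
#!/usr/bin/env sh
# Added example, not the MongoDB docs' own commands: a self-signed CA, one key
# and CSR per member cluster, and one SAN-bearing server certificate per host,
# following the OpenSSL procedure above. Resource name and DNS suffix are assumed.
set -eu

WORK="$(mktemp -d)"
RESOURCE="multi-replica-set"           # assumed MongoDB multi-cluster resource name
DNS_SUFFIX="mongodb.svc.cluster.local" # assumed namespace and cluster domain

# Steps 1-2: CA key and self-signed root certificate (skip if your org has one).
make_ca() {
  openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$WORK/ca.key" -sha256 -days 365 \
    -subj "/C=US/ST=NY/O=Example Org/CN=example-root-ca" -out "$WORK/ca.crt"
}

# Steps 3-4: one key and one CSR per member cluster.
make_cluster_csr() {
  local idx="$1"
  openssl genrsa -out "$WORK/cluster-$idx-cert-key.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/cluster-$idx-cert-key.key" \
    -subj "/C=US/ST=NY/O=Example Org/CN=$RESOURCE-$idx" -out "$WORK/cluster-$idx.csr"
}

# Step 5: per-host server certificate. subjectAltName is written with printf to
# an extension file that -extfile reads (bash users can pass <(printf ...) directly).
make_host_cert() {
  local cluster="$1" host="$2"
  local name="$RESOURCE-$cluster-$host-svc"
  printf 'subjectAltName=DNS:%s.%s,DNS:%s\n' "$name" "$DNS_SUFFIX" "$name" > "$WORK/$name.ext"
  openssl x509 -req -in "$WORK/cluster-$cluster.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 365 -sha256 \
    -extfile "$WORK/$name.ext" -out "$WORK/$RESOURCE-$cluster-$host.crt" 2>/dev/null
}

# Check before building the secret: the certificate chains to the CA and its
# SAN names the host's service FQDN. Returns non-zero on either failure.
verify_host_cert() {
  local cluster="$1" host="$2"
  local crt="$WORK/$RESOURCE-$cluster-$host.crt"
  local fqdn="$RESOURCE-$cluster-$host-svc.$DNS_SUFFIX"
  openssl verify -CAfile "$WORK/ca.crt" "$crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$crt" -noout -text | grep -q "DNS:$fqdn"
}
```

Running make_ca, then make_cluster_csr and make_host_cert for every cluster and host index, leaves the ca.crt, cluster-X-cert-key.key and per-host .crt files that the ConfigMap and secret steps below consume.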
Create a ConfigMap that contains the CA root certificate.
Run the following command on each member cluster to create a ConfigMap that contains the CA root certificate:
Create a certificate secret for each member cluster.
For each member cluster, create a cluster certificate secret of the type generic named clustercert-{resource name}-cert with all server certificates generated in step 2 of this procedure.
For example, if the first and third member clusters are three-node MongoDB replica sets, and the second member cluster has two MongoDB nodes, to create a cluster certificate secret on $MDB_CLUSTER_1_FULL_NAME, run the following command:
The commands in this step lead to the following results:
- The cluster certificate secret contains all server certificates generated in Step 2 of this procedure.
- Each member cluster’s host contains a corresponding secret key, resource name-cluster index-host index-pem. This key contains a server certificate generated for that host in Step 2, resource name-cluster index-host index.crt, concatenated with the cluster certificate key, cluster-X-cert-key.key, also generated in Step 2.
Run the same command as in the previous step for the two other clusters in the example multi-cluster deployment, $MDB_CLUSTER_2_FULL_NAME and $MDB_CLUSTER_3_FULL_NAME.
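An added example, not the documentation's own commands, that assembles the resource name-cluster index-host index-pem entries described above and checks each one before the secret is created; the resource name multi-replica-set and the self-signed stand-in material are assumptions. The check catches a certificate paired with the wrong cluster key, which otherwise surfaces only as a handshake failure once the Pods start.

```shell
#!/usr/bin/env sh
# Added example, not the MongoDB docs' own commands: builds the per-host PEM
# entries for the clustercert-{resource name}-cert secret, checks that each
# entry's certificate and key belong together, and prints the kubectl command
# for one member cluster. Resource name and file names are assumed.
set -eu

WORK="$(mktemp -d)"
RESOURCE="multi-replica-set"   # assumed MongoDB multi-cluster resource name

# Stand-in for Step 2's output: a cluster key and a self-signed host certificate.
make_test_material() {
  local cluster="$1" host="$2" key="$WORK/cluster-$1-cert-key.key"
  [ -f "$key" ] || openssl genrsa -out "$key" 2048 2>/dev/null
  openssl req -x509 -new -key "$key" -days 365 -subj "/CN=$RESOURCE-$cluster-$host" \
    -out "$WORK/$RESOURCE-$cluster-$host.crt"
}

# <resource>-<cluster>-<host>-pem is the host's server certificate followed by
# the cluster certificate key; that is the layout of each secret entry.
make_host_pem() {
  local cluster="$1" host="$2" pem="$WORK/$RESOURCE-$1-$2-pem"
  cat "$WORK/$RESOURCE-$cluster-$host.crt" "$WORK/cluster-$cluster-cert-key.key" > "$pem"
  chmod 600 "$pem"   # the file now holds a private key
  printf '%s\n' "$pem"
}

# Fails when the certificate's public key differs from the key's, a mismatch
# that otherwise shows up only as a TLS handshake failure on the mongod Pod.
check_host_pem() {
  local pem="$1" cert_pub key_pub
  cert_pub="$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null)"
  key_pub="$(openssl pkey -in "$pem" -pubout 2>/dev/null)"
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# The kubectl invocation for a member cluster with n_hosts members, printed
# rather than run because it needs kubectl pointed at that member cluster.
secret_command() {
  local cluster="$1" n_hosts="$2" args="" h=0 pem
  while [ "$h" -lt "$n_hosts" ]; do
    pem="$WORK/$RESOURCE-$cluster-$h-pem"
    check_host_pem "$pem" || return 1
    args="$args --from-file=$RESOURCE-$cluster-$h-pem=$pem"
    h=$((h + 1))
  done
  printf 'kubectl create secret generic clustercert-%s-cert%s\n' "$RESOURCE" "$args"
}
```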
Update the MongoDB multi-cluster resource and configure TLS options in it.
Update the MongoDB multi-cluster resource with security settings from the Kubernetes Operator MongoDB resource specification. The resulting configuration should look as follows:
Verify that the MDB resources are running.
For member clusters, run the following commands to verify that the MongoDB Pods are in the running state:
In the central cluster, run the following commands to verify that the MongoDBMulti CustomResource is in the running state: